The remedy for spyware--not anytime soon, part II

Updated 5/16: Yesterday I blogged the early morning session of the CNET spyware event (MP3 files of all the panel discussions are here--registration required), concluding that the two sides--adware/spyware purveyors and their antitheses--are not far along in formulating a truce that would reduce at least the failures of disclosure and other abuses not driven by rogue or organized-crime operators, abuses that range from minor irritants to material harm.

Esther Dyson hosted a panel of adware vendors, who were giving assurances that they want to be on the good side of consumers, while spyware expert Ben Edelman and Ari Schwartz, associate director of the Center for Democracy and Technology (CDT), demonstrated the devious methods and the extended ecosystem the adware vendors use to fuel billions of dollars in revenue. Webroot's recent "State of Spyware Report" claims that pop-up ads, hijacked home pages, redirected Web searches and DNS poisoning to steal Web traffic generate about $2 billion in yearly revenue, a huge slice of the entire online advertising pie.


Claria CEO Jeff McFadden and spyware expert Ben Edelman smiling, but not at each other (photo courtesy Esther Dyson)

Daniel Doman, CTO at Direct Revenue, said his company is reforming by taking "great pains to make sure software is always uninstallable [and] that all of the clients are branded." He said his company has grown about 1000 percent over the last year, going from 10 to 120 people, including 40 engineers to help improve the reliability and integrity of its adware client. "We are branding our software to be increasingly transparent and visible to users, and to distinguish ourselves from those not branding software. We are careful not to show too many ads per hour or per given day," Doman said.

Dan Todd, 180solutions COO, came in for the brunt of criticism from the audience of experts, vendors and government officials. Alex Eckelberry accused 180solutions of enabling stealth installs of unwanted software, some of which could be avoided with a programmatic fix. "You wrote an application that is completely crackable," Eckelberry said. "My eleven-year-old kid can change the registry." Todd responded by talking about meeting with the antispyware players and trying to develop best practices. He also said that 180solutions, like the other larger adware vendors, is moving toward using fewer distributors to gain better control of the process.

Claria CEO Jeff McFadden talked about putting the consumer first and transparency. "Spyware proliferation is an enormous problem for companies like mine. For my business to work, the antispyware companies have to work and to do it correctly," McFadden said. On the other hand, Claria's biggest bundling partner is Kazaa, which has been known to deliver unwanted, non-disclosed code to computers. "This is an issue we are grappling with all the time. We have only a limited amount of control over how companies distribute," McFadden said. "We have a stringent set of requirements about how our software is described. It's a constant back and forth with people." He concluded that some "clean up" work is required and that the current model for adware is a 1.0 version.

At the end of the day, the adware vendors represented at the workshop walk a fine line, talking about reform but chasing as much revenue as possible through legitimate means, as well as borderline and possibly fraudulent techniques.

As a relatively tame example, Edelman's site chronicles what he calls Claria's misleading installation practices:

Claria says it "keep[s] software free" by offering payments to those who distribute Claria programs to users' PCs. But after examining Claria's installation methods, my sense is that Claria often plays on user confusion, carelessness, or naivete -- including distributing its software in ways that disproportionately target children.
Notable characteristics of this installation:
Bundles Claria advertising software with a game likely to be of particular interest to youth. Details.
Fails to mention privacy effects in any on-screen text. Details.
Mentions advertising, and includes a large graphic, but fails to show an example ad. Details.
Does not mention advertising on the screen at which users are asked to select "I agree." Details.
No uninstaller included in Control Panel. Details.

Other trickery examples include mimicking the design of a site, such as McAfee or PCPitStop, in a popup ad for a competing, questionable product, or inserting a shopping cart for a different product into a popup. At the other end of the spectrum are the keyloggers, hijacking and other spyware hacks that can lead to serious harm.

"I really think that, much like the spam problem, it will not be solved without a technology solution brought by people in this room, but we have to sit at table and figure this out," McFadden said during the adware panel. Doman chimed in that it's incumbent upon the adware community to police itself and to retroactively police some of the distributions, but that it can't be done unless there is reasonable agreement and definition about what is appropriate behavior. Todd mentioned that 180solutions has a code of conduct, which isn't a claim to fame.

It's difficult to take the adware vendor community's desire for self-policing and major reforms seriously at this point. The profit margins and potential growth are simply too enticing. Edelman pointed out that some of the biggest corporations on earth use adware (more politely called behavioral marketing) and the venture capital investors see huge potential for a big payday. CDT's Schwartz said that there isn't much incentive for the advertisers to self-regulate. In addition, he noted that the complexity of the adware business model (see the Seismic Entertainment complaint filed by the FTC) makes it "extremely difficult to police." Ralph Terkowitz, an investor in WhenU, said that the adware players have to act more like traditional publishers, establishing good, long-standing relationships with consumers via their brands.

Some of the vendors see the legislative and litigation writing on the wall--such as the Intermix suit brought by New York attorney general Eliot Spitzer--and are cleaning up their acts, but the adware and spyware underground--companies, individuals and crime syndicates that run beneath the radar and offshore--are elevating their games, keeping the antispyware vendors in business and busy trying to keep up. David Moll, CEO of Webroot, believes that federal legislation that defines the parameters of adware/spyware is critical to reducing the number of bad "actors" abusing consumers and businesses. "I'd rather see a widely adopted, united federal bill that deals with the situation and gets us on the front line of technology dealing with the problem, not in the courtroom," Moll said. "However, federal legislation is a partial aid. It's not going to fix foreign or out-of-jurisdiction problems, which are the main cause of our headaches at the moment," said Simon Clausen, CEO of PC Tools. "Potentially, it brings in line the current adware companies and makes sure they follow some standard procedures."


Webroot CEO David Moll and WhenU investor Ralph Terkowitz share their perspectives

I moderated the final panel with the more prominent antispyware vendors, including Alex Eckelberry, president of Sunbelt Software; Kelly Mackin, director of long range planning, eTrust, Computer Associates; Joe Telafici, director of operations for the virus response team, McAfee; Webroot's Moll; and PC Tools' Clausen. The panel consensus was that behavioral analysis, in addition to signature-based techniques, is needed to keep up with the increasingly sophisticated spyware programmers. Instead of looking only for specific signatures, behavioral analysis looks at many vectors, such as events occurring within an application. The assembled group also said that they were making efforts to work together to establish standards and practices. Some are working with the Network Advertising Initiative (NAI), which has a spyware workshop next week in New York. However, it appears to be at its beginning stage. The executives had never met prior to yesterday's CNET spyware event.
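To make the panel's point concrete, here is an added toy illustration (my own example, not code from any vendor on the panel) of how a signature check and a behavioral check complement each other. The signature list, the process hashes, the event records and the scoring weights are all constructed for the demonstration; the behaviors scored (pop-up rate, home page changes, DNS changes, autorun registry writes, advertising without a registered uninstaller) are the ones the event's speakers described, but the thresholds are assumptions.

```python
"""Toy comparison of signature-based and behavioral spyware detection.

Added example; every signature, hash, event and weight below is constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed definition list: file hash -> detection name (placeholder values).
KNOWN_BAD_HASHES = {"deadbeef01": "ExampleAdware.A"}


@dataclass
class Event:
    process: str      # process that performed the action
    kind: str         # popup | homepage_change | dns_change | registry_write | uninstaller
    detail: str       # free-text detail, e.g. registry key path
    ts_minutes: int   # minutes since the monitoring session began


def signature_scan(process_hashes):
    """Map each process whose file hash is in the definition list to its name."""
    return {proc: KNOWN_BAD_HASHES[h]
            for proc, h in process_hashes.items() if h in KNOWN_BAD_HASHES}


def max_popups_per_hour(popup_times):
    """Largest number of pop-ups seen in any sliding 60-minute window."""
    times = sorted(popup_times)
    best = 0
    for i, start in enumerate(times):
        j = i
        while j < len(times) and times[j] < start + 60:
            j += 1
        best = max(best, j - i)
    return best


def behaviour_score(events):
    """Score each process on what it did, ignoring what file it came from.

    Weights are assumptions chosen for the example, not vendor heuristics.
    """
    by_proc = defaultdict(list)
    for ev in events:
        by_proc[ev.process].append(ev)
    results = {}
    for proc, evs in by_proc.items():
        kinds = Counter(ev.kind for ev in evs)
        score, reasons = 0, []
        rate = max_popups_per_hour(ev.ts_minutes for ev in evs if ev.kind == "popup")
        if rate > 6:
            score += 3; reasons.append(f"{rate} pop-ups within one hour")
        if kinds["homepage_change"]:
            score += 2; reasons.append("changed browser home page")
        if kinds["dns_change"]:
            score += 4; reasons.append("altered DNS settings")
        if any(ev.kind == "registry_write" and ev.detail.endswith("\\Run") for ev in evs):
            score += 2; reasons.append("added autorun registry entry")
        if kinds["popup"] and not kinds["uninstaller"]:
            score += 2; reasons.append("shows ads but registered no uninstaller")
        results[proc] = (score, reasons)
    return results


def classify(process_hashes, events, threshold=5):
    """Combine both checks: a signature hit wins, else the behavior score decides."""
    sigs = signature_scan(process_hashes)
    scores = behaviour_score(events)
    verdicts = {}
    for proc in set(process_hashes) | set(scores):
        score, reasons = scores.get(proc, (0, []))
        if proc in sigs:
            verdict = "signature"
        elif score >= threshold:
            verdict = "behaviour"
        else:
            verdict = "clean"
        verdicts[proc] = {"signature": sigs.get(proc), "score": score,
                          "reasons": reasons, "verdict": verdict}
    return verdicts


# Constructed sample: adware.exe matches a definition but behaves quietly;
# helper.exe is a repacked variant with an unknown hash that misbehaves;
# notepad.exe writes an unrelated registry key.
SAMPLE_HASHES = {"adware.exe": "deadbeef01", "helper.exe": "00000000ff",
                 "notepad.exe": "cafef00d00"}
SAMPLE_EVENTS = [Event("adware.exe", "popup", "ad", 0),
                 Event("adware.exe", "popup", "ad", 30),
                 Event("adware.exe", "uninstaller", "registered", 1),
                 Event("helper.exe", "homepage_change", "http://example.invalid", 3),
                 Event("helper.exe", "registry_write",
                       "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", 4),
                 Event("notepad.exe", "registry_write", "HKCU\\Software\\Notepad", 9)]
SAMPLE_EVENTS += [Event("helper.exe", "popup", "ad", t) for t in range(0, 56, 7)]

if __name__ == "__main__":
    for proc, result in sorted(classify(SAMPLE_HASHES, SAMPLE_EVENTS).items()):
        print(proc, result["verdict"], result["score"], "; ".join(result["reasons"]))
```

The repacked `helper.exe` has no matching hash, so a signature-only scanner passes it, while the behavioral score flags it on the pop-up rate, the home page change, the autorun key and the missing uninstaller. Conversely `adware.exe` is quiet during the session and only the definition list catches it, which is why the panel wants both.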

A major issue for the antispyware vendors is deciding who should be listed as an offender, and then quarantined. Vendors create their own definition silos, and it's in their best financial interest to keep the methodology proprietary. As a result, the adware/spyware vendors have to go through arbitration with each vendor, lawsuits are issued, and the end users can't rely on consistent detection and protection. McAfee's Telafici said that trading collections (such as virus definitions) among competitive vendors hasn't caused harm in the more mature antivirus industry, but concerns among the antispyware vendors over commoditization of their industry have so far prevented it from happening.

As a closing argument, Esther challenged both sides to come up with an education campaign and to agree on what behavior is clearly wrong and drive it into the sea. The contingents from both sides support the goal, but that's not much different than a politician voicing support for a bill and then hoping that it doesn't come to a vote...